Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.
Topic: Bitcoin7 a new exchange - page 5. (Read 20834 times)
It's not that they didn't fix it that's disturbing, it's the fact they don't even acknowledge it is an issue that is.
You are right, the floating point issue is the only one where they didn't immediately respond with "it's being fixed right now", for reasons i could only speculate about. Still, that doesn't change the other points i made in my posting. Please don't single out one issue like this, it's a bad habit in debating.
they're also very quick in acknowledging and fixing mistakes
Well, actually no, they could have said something like "hey yeah that's right, we should store amounts in decimal, not in floats", but instead, the answer was pretty much just marketing talk. please read the whole thread
Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.
I don't think bitcoin7 did a perfect start either and there's still obviously a lot to be done on their site, but at least they are very proactive about it, fixing things within minutes of reports coming in, communicating a lot in emails and on forum, trying to be helpful, etc..
They have a total of 400 Bitcoins traded as of now, this exchange just opened, but you all expect perfection right from the start?!
Yes they made some mistakes, like copying that text from Tradehill and having security holes, but they're also very quick in acknowledging and fixing mistakes; which shows, at least to me, that they're honestly trying their best to provide a good service to us.
I don't think bitcoin7 did a perfect start either and there's still obviously a lot to be done on their site, but at least they are very proactive about it, fixing things within minutes of reports coming in, communicating a lot in emails and on forum, trying to be helpful, etc..
They have a total of 400 Bitcoins traded as of now, this exchange just opened, but you all expect perfection right from the start?!
Yes they made some mistakes, like copying that text from Tradehill and having security holes, but they're also very quick in acknowledging and fixing mistakes; which shows, at least to me, that they're honestly trying their best to provide a good service to us.
From this topic:
we don't store in floats. We keep the accuracy up to floats, but store numbers in a more "integer" way. I can't share more on the technical side of this matter
You should, because "we store numbers in a more integer way" is hardly reassuring.
bittersweet, digging further on this will help neither the users nor Bitcoin7.
This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript). You can only access the iframe from code, that comes from the same domain.
I stand corrected on this one Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
Still easy to exploit.
Malicious page has an 1px * 1px iframe displaying the withdraw page, populates and posts form through javascript with the added bonus that it can parse the DOM to figure out your exact (well floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code 
This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript). You can only access the iframe from code, that comes from the same domain.
This might just get dangerous when combined with cross-site scripting: If you manage to feed the webserver some data that it will display back to you unescaped, you can then get your code to come from the same domain and can do these sort of things.
Ok, so:
- Site is exploitable
Oh, not just exploitable. Exploitable as in Sony.
Ok, so:
Yeah... thanks but no thanks
- Text was copied
- Coins are stored as floats and apparently this won't change
- Site is exploitable
Yeah... thanks but no thanks
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
Still easy to exploit.
Malicious page has an 1px * 1px iframe displaying the withdraw page, populates and posts form through javascript with the added bonus that it can parse the DOM to figure out your exact (well floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code
Yup. I'm adding a framebreaker to Ubitex.org (although since I don't handle money, not nearly as bad.)
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
Still easy to exploit.
Malicious page has an 1px * 1px iframe displaying the withdraw page, populates and posts form through javascript with the added bonus that it can parse the DOM to figure out your exact (well floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code
http://pastehtml.com/!!!!view/axb1k7j2w.html
sells 1 coin at $0.5.
At this point, I'd have to say, kill your webserver until you can get a professional auditor in. This site shouldn't be handling money.
sells 1 coin at $0.5.
At this point, I'd have to say, kill your webserver until you can get a professional auditor in. This site shouldn't be handling money.
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
In the interests of getting to to SHUT DOWN EVERYTHING... you need to.
http://pastehtml.com/!!!!view/axb1k7j2w.html
remove the !!!! if you really want to attack yourself.
Ta-da. Your coins are now in instawallet.org/w/foo.
Security is no joke.
http://pastehtml.com/!!!!view/axb1k7j2w.html
remove the !!!! if you really want to attack yourself.
Ta-da. Your coins are now in instawallet.org/w/foo.
Security is no joke.
@ Cuddlefish, I PMed you for more details.
That's ridiculous, the CSRF exploit is trivial, someone logged into your site, visiting a malicious site can have all his funds withdrawn at a whim.something along the lines of this :
Code:
And that's only the first thing that has been spotted.
Advice : shut down your site, get some professionnals, open it back up when it's finished and secure.
@ Cuddlefish, I PMed you for more details.
Bitcoin7.com...
you have a GIANT CSRF vulnerability on the Withdrawals page.
Fix it.
you have a GIANT CSRF vulnerability on the Withdrawals page.
Fix it.
You cant even send bitcoins. This thing either is a giant theft opt or a money laundering ring out of Sophia. My money on the later
I haven't yet tried sending any (I just transferred some USD from MtGox to buy the cheap 18 USD Bitcoins, that were unfortunately gone until my USD got credited) - but generally you should just mouse over the bitcoin amount in the top right corner and click "Add Bitcoins"... does this not work?!Edit:
"You have successfully withdrawn x.xxxxxxxx42 BTC to your Bitcoin wallet"
I wonder if the .42 Satoshis show up!
So far every trade went fine though and once (if...) the floats are fixed, I might even use the exchange. Sofia is a nice city anyways and I won't have to go to a bank/exchange to get BGN this way.
You cant even send bitcoins. This thing either is a giant theft opt or a money laundering ring out of Sophia. My money on the later
Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.
Isn't it incredible how much a simple sentence can reveal?It is impossible to represent integers accurately in floating point, no matter what precision one use. Any mediocre programmer will know that. And if one doesn't know that Bitcoins are integers, one should probably not operate an exchange in the first place. This simple sentence tells us that the exchange is written by an incompetent programmer who hasn't got much clue about Bitcoin either.
Even if it looks like it works on first sight, it is probably insecure. I wouldn't trust it with a bitcent, or 0.009999999776482582092285156250 BTC at Bitcoin7, probably rounded in the user interface. Would I be able to withdraw the bitcent again, or would I have insufficient funds? I'll let someone else find out, and have fun profiting from rounding errors.
Jump to: